mod_evasive
Overview
The mod_evasive module protects against HTTP DoS/DDoS attacks and brute-force attacks.
Quick start
Common settings for defending from DDoS attacks
#place this block in httpd.conf
<IfModule evasive_module>
#optional directive (default value is 1024)
DOSHashTableSize 1024
#required directives (if any one of them is missing, the module may malfunction)
DOSPageCount 10
DOSSiteCount 150
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
</IfModule>
Related articles and topics
- Prevent DoS attacks with Helicon Ape mod_evasive module
- mod_auth_basic
- mod_auth_digest
- mod_authz_host
- mod_hotlink
Directives
Name | Context | Description |
---|---|---|
DOSHashTableSize | S V D .h | specifies the size of the hash table |
DOSPageCount | S V D .h | sets the limit for the number of requests for the same page (or URI) |
DOSSiteCount | S V D .h | sets the limit for the total number of requests for any object by the same client on the same listener |
DOSPageInterval | S V D .h | sets the interval for the page count threshold |
DOSSiteInterval | S V D .h | sets the interval for the site count threshold |
DOSBlockingPeriod | S V D .h | sets the time that a client will be blocked for if they are added to the blocking list |
DOSSystemCommand | S V D .h | specifies the system command to be executed whenever an IP address becomes blacklisted |
DOSCloseSocket | S V D .h | closes network connection socket if the directive state is On |
DOSHashTableSize
The DOSHashTableSize directive defines the hash table size, i.e. the number of top-level nodes in each child's hash table. Increasing this number gives faster lookups, because fewer iterations are needed to reach a record, but consumes more memory for table space. It is advisable to increase this parameter on heavily loaded web servers.
Syntax
DOSHashTableSize 1024|value
Example
#increase size of hash table for large servers
DOSHashTableSize 2048
DOSPageCount
The DOSPageCount directive sets the threshold for the number of requests for the same page (or URI) per page interval. Once the threshold for that interval has been exceeded, the client IP address is added to the blocking list.
Syntax
DOSPageCount value
Example
DOSPageCount 10
DOSSiteCount
The DOSSiteCount directive sets the threshold for the total number of requests for any object by the same client on the same listener per site interval. Once the threshold for that interval has been exceeded, the client IP address is added to the blocking list.
Syntax
DOSSiteCount value
Example
DOSSiteCount 150
DOSPageInterval
The DOSPageInterval directive sets the interval for the page count threshold. The interval is specified in seconds and may be a real number.
Syntax
DOSPageInterval value
Example
DOSPageInterval 1.5
DOSSiteInterval
The DOSSiteInterval directive sets the interval for the site count threshold. The interval is specified in seconds and may be a real number.
Syntax
DOSSiteInterval value
Example
DOSSiteInterval 1.5
DOSBlockingPeriod
The DOSBlockingPeriod directive sets the amount of time a client is blocked for once it has been added to the blocking list. During this time every subsequent request from the client receives a 403 (Forbidden) response and the timer is reset (e.g. for another 10 seconds). Because the timer is reset on every subsequent request, a long blocking period is not necessary; during a DoS attack the timer keeps getting reset.
The interval is specified in seconds and may be a real number.
Syntax
DOSBlockingPeriod value
Example
DOSBlockingPeriod 10.7
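A small simulation of the counting and blocking rules described above (DOSPageCount with DOSPageInterval, DOSSiteCount with DOSSiteInterval, and DOSBlockingPeriod with its timer reset), added here as an illustration; it is not Helicon Ape's own code. It assumes a fixed per-client time window, which is a simplification of the module's bookkeeping, and uses the Quick start defaults.

```python
class EvasiveSimulator:
    """Models the mod_evasive thresholds: exceeding DOSPageCount hits on one URI
    within DOSPageInterval, or DOSSiteCount hits on any URI within
    DOSSiteInterval, blocks the client for DOSBlockingPeriod seconds.  Every
    request from a blocked client gets 403 and restarts the block timer.
    Added example (not the module's code); fixed windows are a simplification."""

    def __init__(self, page_count=10, site_count=150, page_interval=1.0,
                 site_interval=1.0, blocking_period=10.0):
        self.page_count, self.site_count = page_count, site_count
        self.page_interval, self.site_interval = page_interval, site_interval
        self.blocking_period = blocking_period
        self.page_hits = {}      # (ip, uri) -> (window_start, count)
        self.site_hits = {}      # ip -> (window_start, count)
        self.blocked_until = {}  # ip -> time at which the block expires

    def _bump(self, table, key, now, interval):
        """Count one hit in a fixed window of `interval` seconds; return the count."""
        start, count = table.get(key, (now, 0))
        if now - start >= interval:          # window expired: begin a new one
            start, count = now, 0
        table[key] = (start, count + 1)
        return count + 1

    def request(self, ip, uri, now):
        """Return the HTTP status the module would give this request."""
        expires = self.blocked_until.get(ip)
        if expires is not None and now < expires:
            # Blocked client: 403 and the blocking timer restarts (DOSBlockingPeriod).
            self.blocked_until[ip] = now + self.blocking_period
            return 403
        page = self._bump(self.page_hits, (ip, uri), now, self.page_interval)
        site = self._bump(self.site_hits, ip, now, self.site_interval)
        if page > self.page_count or site > self.site_count:
            # DOSPageCount or DOSSiteCount exceeded: add the client to the blocking list.
            self.blocked_until[ip] = now + self.blocking_period
            return 403
        return 200


def simulate(requests, **settings):
    """requests: iterable of (timestamp, ip, uri); returns the status per request."""
    sim = EvasiveSimulator(**settings)
    return [sim.request(ip, uri, t) for t, ip, uri in requests]


if __name__ == "__main__":
    # Constructed burst: 11 hits on /login within half a second, then two later probes.
    burst = [(i / 20, "198.51.100.7", "/login") for i in range(11)]
    burst += [(5.0, "198.51.100.7", "/"), (20.0, "198.51.100.7", "/")]
    print(simulate(burst))  # ten 200s, then 403 (blocked), 403 (timer reset), 200
```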
DOSSystemCommand
The DOSSystemCommand directive specifies the system command to be executed whenever an IP address becomes blacklisted.
Syntax
DOSSystemCommand value
Example
DOSSystemCommand "cscript addFirewallRuleByIP.vbs IP=%s"
DOSCloseSocket
The DOSCloseSocket directive instructs mod_evasive to send a 403 response and close the connection socket. The client then has to open a new connection for every further request, which costs an attacker time and works in your favour.
Syntax
DOSCloseSocket On|Off
Example
DOSCloseSocket On